Tunnel using EC2 instance connect

Author: qrilka

modules/ec2-connect-tunnel/README.md

@@ -0,0 +1,6 @@
+# EC2 Instance Connect tunnel
+
+Creates a s single node ASG (using the `singe-node-asg` module) allowing SSH
+connections using [EC2 Instance Connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html).
+Assumes Ubuntu AMI to be used (`ec2-instance-connect` gets installed using
+`apt`). Use `ec2-connect-role` to setup an IAM role for SSH access.

modules/ec2-connect-tunnel/iam.tf

@@ -0,0 +1,5 @@
+# allows connecting with SSM manager
+resource "aws_iam_role_policy_attachment" "ssm_instance" {
+  role       = module.asg.asg_iam_role_name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}

modules/ec2-connect-tunnel/main.tf

@@ -0,0 +1,20 @@
+module "asg" {
+  source  = "../single-node-asg"
+
+  region    = var.region
+  ami       = var.ami
+  key_name  = ""
+  instance_type = var.instance_type
+  name_prefix   = var.name_prefix
+  name_suffix   = var.name_suffix
+
+  security_group_ids = [module.tunnel-sg.id]
+  subnet_id          = var.subnet_id
+  data_volumes       = []
+  assign_eip         = true
+
+  init_suffix = <<END_INIT_SUFFIX
+echo "Installing ec2-instance-connect"
+apt install ec2-instance-connect
+END_INIT_SUFFIX
+}

modules/ec2-connect-tunnel/outputs.tf

@@ -0,0 +1,4 @@
+output "public_ip" {
+  value       = module.asg.eip_address
+  description = "Public IP of the tunnel"
+}

modules/ec2-connect-tunnel/sg.tf

@@ -0,0 +1,21 @@
+module "tunnel-sg" {
+  source      = "../security-group-base"
+  name        = "${var.name_prefix}-sg"
+  description = "SG for the tunnel ASG"
+  vpc_id      = var.vpc_id
+  extra_tags  = var.extra_tags
+}
+
+module "ssh-port-sg-rule" {
+  source            = "../single-port-sg"
+  security_group_id = module.tunnel-sg.id
+  cidr_blocks       = ["0.0.0.0/0"]
+  port              = 22
+  description       = "SSH from anywhere"
+}
+
+# security group rule to open egress (outbound from nodes)
+module "allow-open-egress" {
+  source            = "../open-egress-sg"
+  security_group_id = module.tunnel-sg.id
+}

modules/ec2-connect-tunnel/variables.tf

@@ -0,0 +1,41 @@
+variable "name_prefix" {
+  description = "Prefix for naming resources, usually project-related"
+  type        = string
+}
+
+variable "name_suffix" {
+  description = "suffix to include when naming the various resources"
+  type        = string
+  default     = ""
+}
+
+variable "region" {
+  description = "The AWS region to deploy to"
+  type        = string
+}
+
+variable "ami" {
+  description = "The base AMI for each AWS instance created"
+  type        = string
+}
+
+variable "instance_type" {
+  description = "The type of AWS instance (size)"
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "ID of VPC to associate SG with"
+  type        = string
+}
+
+variable "subnet_id" {
+  description = "The ID of the subnet to use, depends on the availability zone"
+  type        = string
+}
+
+variable "extra_tags" {
+  description = "map of name,value pairs to tag the security group (append to Name tag)"
+  default     = {}
+  type        = map(string)
+}